Cyber security

On 27 November 2021 CS Energy became aware that a ransomware incident had occurred on our ICT network. The incident occurred on CS Energy’s corporate network and did not impact safety or operations at our power stations.

We immediately notified relevant state and federal agencies, and worked closely with them and other cyber security experts to restore our systems and investigate the incident. We remained in regular contact with our employees and customers.

There is no indication that the incident was a ‘state-based’ attack. Our cyber security experts have attributed the attack to a known group of cyber criminals.

We have made, and continue to make, significant improvements to the security of our systems. We undertook a comprehensive post-incident review of our systems and continue to implement measures to update our security technology, procedures, training and awareness. We also remain committed to managing personal information with respect and in accordance with all relevant privacy laws.

Privacy and personal data

Our investigation identified that historical personal data of some CS Energy employees was accessed during the incident.

CS Energy takes this issue extremely seriously and is committed to protecting the privacy of personal information provided to us for the purpose of our business activities.

We contacted relevant current and former employees to inform them about the data breach and steps they could take to protect their information online. We also provided them with access to free support from IDCARE (see below), Australia’s national identity and cybersecurity community support service.

We also notified the Office of the Australian Information Commissioner (OAIC) in accordance with our obligations under the Privacy Act 1988.

Accessing support

If you are concerned about the potential misuse of your personal information, we have arranged free support for current and former CS Energy employees from IDCARE, Australia’s national identity and cybersecurity community support service. Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form at www.idcare.org/contact/get-help using the referral code CSN22.

IDCARE’s National Case Management Centre can also be called between 8am and 5pm Monday to Friday AEST (excluding public holidays) on 1800 595 160.

FAQS

What type of personal data has been accessed?

At this stage it appears that the type of information that might have been accessed for employees and job applicants prior to August 2010 includes:

• Full name
• Date of birth
• Tax file numbers
• Home address
• Bank account details
• Remuneration
• Onboarding reference checks
• Onboarding health checks
• Superannuation account details

I’m concerned about my personal data – what should I do?

We advise following prudent cyber security measures. These include:

• Changing passwords for internet banking, social media accounts (such as LinkedIn), and personal email. Wherever possible, you should activate two-factor authentication to banking, email, and other personal online accounts. If you are concerned your current bank account details might have been accessed, contact your financial institution regarding monitoring for unauthorised transactions.
• If you are concerned your tax file number may have been accessed, contact the Australian Tax Office (ATO) regarding monitoring for unusual activity.
• Be hyper-vigilant and alert to emails, phone calls and text messages:
  • Do not click on links in emails where you cannot verify the sender. Always check the address in the "from" line of any emails, even if the name looks legitimate.
  • Do not provide any personal, password or account information if you receive phone calls of messages from banks, utility companies, retail outlets or other organisations. Make your own enquiries first to verify the identify and legitimacy of the caller.
  • Use different passwords for your personal use and on corporate systems. Passwords should be complex (that is, more than 13 characters and include punctuation marks, capital letters and numbers)
  • The Australian Cyber Security Centre has additional useful resources for personal cyber security here: https://www.cyber.gov.au/acsc/view-all-content/advice/personal-security-guides
  • The Office of the Information Commissioner has further useful information about identify fraud here: https://www.oaic.gov.au/privacy/data-breaches/identity-fraud

Has this personal information been published on the internet?

At this stage there is no indication the information has been published. We will update you if this changes.

Who should I contact if I have further questions?

For general enquiries, please email cyberenquiry@csenergy.com.au

If you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service.

Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form at www.idcare.org/contact/get-help using the referral code CSN22.

IDCARE’s National Case Management Centre can also be called between 8am and 5pm Monday to Friday AEST (excluding public holidays) on 1800 595 160.

Alternatively you may visit IDCARE’s Learning Centre for further information and resources on protecting your personal information: www.idcare.org/learning-centre.

Information for customers

We want to reassure our customers that there continues to be no impact to your retail electricity supply as a result of the recent cyber security incident on our ICT network. We have provided email updates to customers and will continue to keep you updated.

If you have any questions, please contact us via the following phone numbers:

• 1800 950 595 - for all billing enquiries
• 0438 237 587 - for all account management enquiries.

media releases

• CS Energy responds to cyber security incident - 30 November 2021
• Response to latest media reports about cyber security incident - 8 December 2021